Infected With Trojan, Or Adware Pop-ups.. [CLOSED]


  • This topic is locked

#1
BCHurricane89

    Member
  • 26 posts
Hello, my dad's laptop is infected big time with something; a trojan thing keeps popping up too, I'm not too sure. Please take a look at the logs. THANKS!

Deckard's System Scanner v20071014.68
Run by uskbxl03 on 2008-07-27 12:26:31
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
54: 2008-07-27 16:26:38 UTC - RP192 - Deckard's System Scanner Restore Point
53: 2008-07-27 16:00:31 UTC - RP191 - Software Distribution Service 3.0
52: 2008-07-27 01:29:46 UTC - RP190 - Software Distribution Service 3.0
51: 2008-07-26 16:00:25 UTC - RP189 - Software Distribution Service 3.0
50: 2008-07-25 16:00:26 UTC - RP188 - Software Distribution Service 3.0


-- First Restore Point --
1: 2008-06-21 14:38:09 UTC - RP139 - Software Distribution Service 3.0


Backed up registry hives.
Performed disk cleanup.

Total Physical Memory: 511 MiB (512 MiB recommended).


-- HijackThis (run as uskbxl03.exe) --------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:28, on 2008-07-27
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\ccs.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\SYSTEM32\DWRCS.EXE
C:\Program Files\iPass\iPassConnect\iPCAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec Client Security\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\TPHDEXLG.EXE
C:\WINDOWS\system32\CCM\CLICOMP\RemCtrl\Wuser32.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\CCM\CcmExec.exe
C:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SYSTEM32\DWRCST.exe
C:\Documents and Settings\All Users\Application Data\unohuxan\mxoxapqz.exe
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\RunDll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\SYMANT~2\VPTray.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
C:\Program Files\RightFax\FaxCtrl.exe
C:\Program Files\Adobe\Distillr\Acrotray.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\onuhqjen.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\iPass\iPassConnect\downloader\ipccheck.exe
C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\uskbxl03\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\uskbxl03.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://intranet.kellogg.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://intranet.kellogg.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Kellogg Company
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://configscript....ard/INSTALL.INS
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\ActiveX\AcroIEHelper.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [BLOG] rundll32.exe C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL,StartBattLog
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [BMMLREF] C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE
O4 - HKLM\..\Run: [BMMMONWND] rundll32.exe C:\PROGRA~1\ThinkPad\UTILIT~1\BatInfEx.dll,BMMAutonomicMonitor
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~2\VPTray.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [RightFAX Print-to-Fax Driver] C:\Program Files\RightFax\\FaxCtrl.exe
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\RunOnce: [Register OCX] regsvr32.exe /s msdxm.ocx
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [UtilWinSet] C:\WINDOWS\system32\onuhqjen.exe
O4 - HKCU\..\Run: [cmdcfg] C:\WINDOWS\system32\jqjuvqbc.exe
O4 - HKCU\..\Run: [CfgSmart] C:\WINDOWS\system32\tyterwxc.exe
O4 - HKCU\..\Run: [strshui] C:\WINDOWS\system32\nkzulclq.exe
O4 - HKLM\..\Policies\Explorer\Run: [9F8ATTTXED] C:\Documents and Settings\All Users\Application Data\unohuxan\mxoxapqz.exe
O4 - Startup: .security
O4 - Global Startup: .security
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: AutoCAD LT Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart16.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: VPN Client.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.books24x7.com
O15 - Trusted Zone: *.confarchives.com
O15 - Trusted Zone: *.conferencing.com
O15 - Trusted Zone: *.ctadvantage.com
O15 - Trusted Zone: *.elementk.com
O15 - Trusted Zone: *.elm-wilke
O15 - Trusted Zone: *.elmsrv025
O15 - Trusted Zone: kelloggs.empowerdata.com
O15 - Trusted Zone: www.genesys.com
O15 - Trusted Zone: *.genesys.com
O15 - Trusted Zone: www.genesysmeetingcenter.com
O15 - Trusted Zone: *.iconf.net
O15 - Trusted Zone: *.us.kellogg.com
O15 - Trusted Zone: *.lbcity.biz
O15 - Trusted Zone: *.newhorizons.com
O15 - Trusted Zone: www.schneiderlogistics.com
O15 - Trusted Zone: *.shareholder.com
O15 - Trusted Zone: *.stcdev008
O15 - Trusted Zone: *.xatanet.net
O15 - Trusted Zone: *.zoomerang.com
O15 - Trusted Zone: *.books24x7.com (HKLM)
O15 - Trusted Zone: *.confarchives.com (HKLM)
O15 - Trusted Zone: *.conferencing.com (HKLM)
O15 - Trusted Zone: *.ctadvantage.com (HKLM)
O15 - Trusted Zone: *.elementk.com (HKLM)
O15 - Trusted Zone: *.elm-wilke (HKLM)
O15 - Trusted Zone: *.elmsrv025 (HKLM)
O15 - Trusted Zone: kelloggs.empowerdata.com (HKLM)
O15 - Trusted Zone: www.genesys.com (HKLM)
O15 - Trusted Zone: *.genesys.com (HKLM)
O15 - Trusted Zone: www.genesysmeetingcenter.com (HKLM)
O15 - Trusted Zone: *.iconf.net (HKLM)
O15 - Trusted Zone: *.us.kellogg.com (HKLM)
O15 - Trusted Zone: *.lbcity.biz (HKLM)
O15 - Trusted Zone: *.newhorizons.com (HKLM)
O15 - Trusted Zone: www.schneiderlogistics.com (HKLM)
O15 - Trusted Zone: *.shareholder.com (HKLM)
O15 - Trusted Zone: *.stcdev008 (HKLM)
O15 - Trusted Zone: *.xatanet.net (HKLM)
O15 - Trusted Zone: *.zoomerang.com (HKLM)
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://ca.com/us/sec...nfo/webscan.cab
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = us.kellogg.com,kellogg.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = us.kellogg.com,kellogg.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = us.kellogg.com,kellogg.com
O21 - SSODL: UiCom - {4354AA3D-341D-D542-D280-01732E429484} - C:\Program Files\rnzwmhf\UiCom.dll
O23 - Service: ACU Configuration Service (ACS) - Unknown owner - C:\WINDOWS\System32\acs.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Cisco Configuration Service (CCS) - Cisco Systems, Inc. - C:\WINDOWS\system32\ccs.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: DameWare Mini Remote Control (DWMRCS) - DameWare Development LLC - C:\WINDOWS\SYSTEM32\DWRCS.EXE
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPassConnectEngine - iPass - C:\Program Files\iPass\iPassConnect\iPassConnectEngine.exe
O23 - Service: iPCAgent - iPass, Inc. - C:\Program Files\iPass\iPassConnect\iPCAgent.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec Client Security\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Symantec SecurePort (SymSecurePort) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe
O23 - Service: ThinkPad HDD APS Logging Service (TPHDEXLGSVC) - Lenovo. - C:\WINDOWS\System32\TPHDEXLG.EXE

--
End of file - 12567 bytes

-- File Associations -----------------------------------------------------------

.reg - regfile - shell\open\command - regedit.exe "%1" %*
.scr - AutoCADLTScriptFile - shell\open\command - "c:\WINDOWS\system32\notepad.exe" "%1"


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 Shockprf - c:\windows\system32\drivers\shockprf.sys <Not Verified; Lenovo.; ThinkVantage Active Protection System>
R1 ShockMgr - c:\windows\system32\drivers\shockmgr.sys <Not Verified; Lenovo.; ThinkVantage Active Protection System>
R1 Smapint - c:\windows\system32\drivers\smapint.sys <Not Verified; Microsoft Corporation; Microsoft® Windows NT™ Operating System>
R1 TDSMAPI - c:\windows\system32\drivers\tdsmapi.sys
R1 TPHKDRV - c:\windows\system32\drivers\tphkdrv.sys <Not Verified; IBM Corporation; ThinkPad OnScreenDisplay>
R1 TPPWR - c:\windows\system32\drivers\tppwr.sys <Not Verified; IBM Corp.; IBM ThinkPad Utility>
R1 TSMAPIP - c:\windows\system32\drivers\tsmapip.sys
R2 AegisP (AEGIS Protocol (IEEE 802.1x) v3.4.1.0) - c:\windows\system32\drivers\aegisp.sys <Not Verified; Meetinghouse Data Communications; AEGIS Client 3.4.1.0>
R2 MDC80211 (iPass Protocol (IEEE 802.1x) v2.3.1.9) - c:\windows\system32\drivers\mdc80211.sys <Not Verified; Meetinghouse Data Communications; AEGIS Client 2.3.1.9>

S3 PCAM1394 - c:\windows\system32\drivers\pcam1394.sys <Not Verified; PHOTRON Ltd.; Windows ® 2000 DDK driver>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 CCS (Cisco Configuration Service) - c:\windows\system32\ccs.exe <Not Verified; Cisco Systems, Inc.; Cisco Configuration Service (CCS)>
R2 DWMRCS (DameWare Mini Remote Control) - c:\windows\system32\dwrcs.exe -service <Not Verified; DameWare Development LLC; DameWare Development DWRCS>
R2 iPCAgent - c:\program files\ipass\ipassconnect\ipcagent.exe <Not Verified; iPass, Inc.; iPCAgent Module>
R2 TPHDEXLGSVC (ThinkPad HDD APS Logging Service) - system32\tphdexlg.exe <Not Verified; Lenovo.; ThinkVantage Active Protection System>
R2 Wuser32 (SMS Remote Control Agent) - c:\windows\system32\ccm\clicomp\remctrl\wuser32.exe <Not Verified; Microsoft Corporation; Systems Management Server>

S3 ACS (ACU Configuration Service) - c:\windows\system32\acs.exe
S3 iPassConnectEngine - c:\program files\ipass\ipassconnect\ipassconnectengine.exe <Not Verified; iPass; iPassConnectEngine Module>


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Cisco Systems VPN Adapter
Device ID: ROOT\NET\0000
Manufacturer: Cisco Systems
Name: Cisco Systems VPN Adapter
PNP Device ID: ROOT\NET\0000
Service: CVirtA


-- Scheduled Tasks -------------------------------------------------------------

2008-07-14 13:24:04 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
2005-06-08 08:10:04 414 --a------ C:\WINDOWS\Tasks\Symantec NetDetect.job
2005-06-03 11:23:49 314 --a------ C:\WINDOWS\Tasks\BMMTask.job


-- Files created between 2008-06-27 and 2008-07-27 -----------------------------

6137-61-37 13:76:09 0 d-------- U:\Windows
6137-61-37 13:76:09 0 d-------- U:\usvjxt30
6137-61-37 13:76:09 0 d-------- U:\uskbxl03
6137-61-37 13:76:09 0 d-------- U:\uscrlw08
6137-61-37 13:76:09 131072 -----n--- U:\Uninstal.EXE
6137-61-37 13:76:09 0 d-------- U:\U.P. 06 Pics <UP1E4F~1.06P>
6137-61-37 13:76:09 0 d-------- U:\TIME TRACKING
6137-61-37 13:76:09 0 d-------- U:\Snacks front end
6137-61-37 13:76:09 0 d--hs---- U:\RECYCLER
6137-61-37 13:76:09 0 d-------- U:\Oregen Photos
6137-61-37 13:76:09 0 d-------- U:\Notes_bak
6137-61-37 13:76:09 0 d-------- U:\Notes
6137-61-37 13:76:09 0 d-------- U:\New Folder
6137-61-37 13:76:09 0 dr------- U:\My Videos
6137-61-37 13:76:09 0 d-------- U:\My Pictures
6137-61-37 13:76:09 0 dr------- U:\My Music
6137-61-37 13:76:09 0 d-------- U:\misc
6137-61-37 13:76:09 196638 -----n--- U:\Kellogg_Backup_WKKI.EXE <Not Verified; Microsoft Corporation; Microsoft Systems Management Server Installer>
6137-61-37 13:76:09 0 d-------- U:\front end
6137-61-37 13:76:09 0 d-------- U:\Expenses
6137-61-37 13:76:09 0 d-------- U:\Deckard
6137-61-37 13:76:09 0 d-------- U:\Data
6137-61-37 13:76:09 0 d-------- U:\data mail
6137-61-37 13:76:09 672659 -----n--- U:\cad
6137-61-37 13:76:09 0 d-------- U:\CAD FILES
6137-61-37 13:76:09 165803 -----n--- U:\Backrdir.EXE <Not Verified; Microsoft Corporation; Microsoft Systems Management Server Installer>
6137-61-37 13:76:09 0 d-------- U:\Adobe
2008-07-27 12:28:38 0 d-------- C:\Program Files\Trend Micro
2008-07-26 21:34:06 0 d-------- C:\WINDOWS\LastGood
2008-07-24 22:57:30 0 dr-h----- C:\Documents and Settings\uskbxl03\Recent
2008-07-24 21:12:24 68096 --a------ C:\WINDOWS\zip.exe
2008-07-24 21:12:24 49152 --a------ C:\WINDOWS\VFind.exe
2008-07-24 21:12:24 136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-07-24 21:12:24 161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-07-24 21:12:24 98816 --a------ C:\WINDOWS\sed.exe
2008-07-24 21:12:24 80412 --a------ C:\WINDOWS\grep.exe
2008-07-24 21:12:24 89504 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-07-24 21:12:23 212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-07-24 20:53:53 94208 --a------ C:\WINDOWS\system32\nkzulclq.exe
2008-07-23 21:46:18 0 d-------- C:\Documents and Settings\uskbxl03\Application Data\Malwarebytes
2008-07-23 21:46:14 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-07-23 21:46:14 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-07-23 20:55:24 4206 --a------ C:\WINDOWS\system32\tmp.reg
2008-07-23 20:43:43 25600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-07-23 20:43:43 289144 --a------ C:\WINDOWS\system32\VCCLSID.exe <Not Verified; S!Ri; >
2008-07-23 20:43:43 86528 --a------ C:\WINDOWS\system32\VACFix.exe <Not Verified; S!Ri.URZ; VACFix>
2008-07-23 20:43:43 51200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-07-23 20:43:43 81920 --a------ C:\WINDOWS\system32\404Fix.exe <Not Verified; S!Ri.URZ; 404Fix>
2008-07-23 20:43:42 288417 --a------ C:\WINDOWS\system32\SrchSTS.exe <Not Verified; S!Ri; SrchSTS>
2008-07-23 20:43:42 53248 --a------ C:\WINDOWS\system32\Process.exe <Not Verified; http://www.beyondlogic.org; Command Line Process Utility>
2008-07-21 22:52:08 0 d-------- C:\Program Files\rnzwmhf
2008-07-21 22:52:05 0 d-------- C:\Documents and Settings\All Users\Application Data\unohuxan
2008-07-21 22:52:00 77824 --a------ C:\WINDOWS\system32\onuhqjen.exe


-- Find3M Report ---------------------------------------------------------------

2008-07-12 09:59:24 0 d-------- C:\Documents and Settings\uskbxl03\Application Data\Adobe
2008-06-27 16:00:53 0 d-------- C:\Documents and Settings\uskbxl03\Application Data\U3
2008-05-27 13:35:43 0 d-------- C:\Documents and Settings\uskbxl03\Application Data\MSN6


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TPHOTKEY"="C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe" [2005-03-03 20:10]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2005-08-01 13:48]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2005-08-01 13:48]
"BLOG"="C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL" [2005-04-20 04:38]
"BMMGAG"="C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll" [2005-04-20 04:38]
"BMMLREF"="C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE" [2005-04-20 04:38]
"BMMMONWND"="C:\PROGRA~1\ThinkPad\UTILIT~1\BatInfEx.dll" [2005-04-20 04:38]
"TpShocks"="TpShocks.exe" [2005-08-22 22:29 C:\WINDOWS\system32\TpShocks.exe]
"EZEJMNAP"="C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe" [2004-11-24 05:10]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2004-12-10 21:02]
"vptray"="C:\PROGRA~1\SYMANT~1\SYMANT~2\VPTray.exe" [2004-12-30 17:19]
"AGRSMMSG"="AGRSMMSG.exe" [2003-06-27 11:53 C:\WINDOWS\AGRSMMSG.exe]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2004-11-02 12:03]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2004-11-02 11:59]
"Synchronization Manager"="C:\WINDOWS\system32\mobsync.exe" [2004-08-04 01:56]
"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe" [2005-07-22 23:18]
"RightFAX Print-to-Fax Driver"="C:\Program Files\RightFax\\FaxCtrl.exe" [2003-09-01 23:32]
"Acrobat Assistant 7.0"="C:\Program Files\Adobe\Distillr\Acrotray.exe" [2004-12-14 03:12]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-03-21 09:28]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 12:24]
"UtilWinSet"="C:\WINDOWS\system32\onuhqjen.exe" [2008-07-21 22:52]
"cmdcfg"="C:\WINDOWS\system32\jqjuvqbc.exe" []
"CfgSmart"="C:\WINDOWS\system32\tyterwxc.exe" []
"strshui"="C:\WINDOWS\system32\nkzulclq.exe" [2008-07-24 20:53]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonce]
"Register OCX"=regsvr32.exe /s msdxm.ocx

C:\Documents and Settings\uskbxl03\Start Menu\Programs\Startup\
.security [2008-07-23 20:53:24]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
.security [2008-07-23 20:53:24]
Adobe Acrobat Speed Launcher.lnk - C:\WINDOWS\Installer\{AC76BA86-1033-F400-BA7E-100000000002}\SC_Acrobat.exe [2006-02-22 17:45:01]
AutoCAD LT Startup Accelerator.lnk - C:\Program Files\Common Files\Autodesk Shared\acstart16.exe [2005-03-05 09:18:22]
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2005-06-03 11:26:13]
VPN Client.lnk - C:\WINDOWS\Installer\{06624881-CF7D-4F8A-86C0-5114B122E776}\Icon3E5562ED7.ico [2005-07-12 17:57:38]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableCAD"=0 (0x0)
"DisableTaskMgr"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=0 (0x0)
"NoDispAppearancePage"=0 (0x0)
"NoColorChoice"=0 (0x0)
"NoSizeChoice"=0 (0x0)
"NoDispBackgroundPage"=0 (0x0)
"NoDispScrSavPage"=0 (0x0)
"NoDispCPL"=0 (0x0)
"NoVisualStyleChoice"=0 (0x0)
"NoDispSettingsPage"=0 (0x0)
"disableregistrytools"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoMSAppLogo5ChannelNotify"=0 (0x0)
"NoToolbarCustomize"=0 (0x0)
"NoBandCustomize"=0 (0x0)
"NoActiveDesktopChanges"=0 (0x0)
"NoNTSecurity"=1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\Run]
"9F8ATTTXED"=C:\Documents and Settings\All Users\Application Data\unohuxan\mxoxapqz.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"Btn_Back"=0 (0x0)
"Btn_Forward"=0 (0x0)
"Btn_Stop"=0 (0x0)
"Btn_Refresh"=0 (0x0)
"Btn_Home"=0 (0x0)
"Btn_Search"=0 (0x0)
"Btn_History"=0 (0x0)
"Btn_Favorites"=0 (0x0)
"Btn_Media"=0 (0x0)
"Btn_Folders"=0 (0x0)
"Btn_Fullscreen"=0 (0x0)
"Btn_Tools"=0 (0x0)
"Btn_MailNews"=0 (0x0)
"Btn_Size"=0 (0x0)
"Btn_Print"=0 (0x0)
"Btn_Edit"=0 (0x0)
"Btn_Discussions"=0 (0x0)
"Btn_Cut"=0 (0x0)
"Btn_Copy"=0 (0x0)
"Btn_Paste"=0 (0x0)
"Btn_Encoding"=0 (0x0)
"Btn_PrintPreview"=0 (0x0)
"NoInternetIcon"=0 (0x0)
"NoDesktop"=0 (0x0)
"NoFavoritesMenu"=0 (0x0)
"NoFind"=0 (0x0)
"NoRun"=0 (0x0)
"NoSetActiveDesktop"=0 (0x0)
"NoChangeStartMenu"=0 (0x0)
"NoFolderOptions"=0 (0x0)
"NoRecentDocsMenu"=0 (0x0)
"NoRecentDocsHistory"=0 (0x0)
"ClearRecentDocsOnExit"=0 (0x0)
"NoLogoff"=0 (0x0)
"NoClose"=0 (0x0)
"NoSetTaskbar"=0 (0x0)
"NoTrayContextMenu"=0 (0x0)
"NoFileMenu"=0 (0x0)
"EnforceShellExtensionSecurity"=0 (0x0)
"LinkResolveIgnoreLinkInfo"=0 (0x0)
"NoNetConnectDisconnect"=0 (0x0)
"NoDeletePrinter"=0 (0x0)
"NoAddPrinter"=0 (0x0)
"NoPrinterTabs"=0 (0x0)
"NoActiveDesktop"=0 (0x0)
"NoSaveSettings"=0 (0x0)
"NoThemesTab"=0 (0x0)
"ForceActiveDesktopOn"=0 (0x0)
"NoActiveDesktopChanges"=0 (0x0)
"NoWindowsUpdate"=0 (0x0)
"NoSetFolders"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"UiCom"= {4354AA3D-341D-D542-D280-01732E429484} - C:\Program Files\rnzwmhf\UiCom.dll [2008-07-21 22:52 110592]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
tphklock.dll 2004-08-12 23:11 24576 C:\WINDOWS\system32\tphklock.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\PSEXESVC]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 Pml Driver HPZ12 Net Driver HPZ12


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{986e75ca-aa1e-11db-9e86-000d607d34c8}]
AutoRun\command- E:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c3415130-e8ab-11d9-986c-00028af224a9}]
AutoRun\command- E:\setup.EXE




-- End of Deckard's System Scanner: finished at 2008-07-27 12:29:35 ------------









Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel® Pentium® M processor 1.70GHz
Percentage of Memory in Use: 76%
Physical Memory (total/avail): 510.92 MiB / 120.36 MiB
Pagefile Memory (total/avail): 1248.29 MiB / 850.77 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1918.27 MiB

C: is Fixed (NTFS) - 37.25 GiB total, 12.46 GiB free.
D: is CDROM (No Media)
U: is Network (*NT5CSC)

\\.\PHYSICALDRIVE0 - FUJITSU MHT2040AH - 37.26 GiB - 1 partition
\PARTITION0 (bootable) - Installable File System - 37.25 GiB - C:



-- Security Center -------------------------------------------------------------

AUOptions is not configured.
Windows Internal Firewall is disabled.

FirstRunDisabled is set.
AntiVirusDisableNotify is set.
FirewallDisableNotify is set.

FW: Symantec Client Firewall v7.1.3.1039 (Symantec Corporation)
AV: Symantec AntiVirus Corporate Edition v9.0.3.1000 (Symantec Corporation)

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\uskbxl03\Application Data
CLASSPATH=C:\Program Files\Java\jre1.5.0_04\lib\ext\QTJava.zip
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=LUSKBXL03C9KZ
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=U:
HOMEPATH=\
HOMESHARE=\\bcusers1\users\USCBXL03\data
LOGONSERVER=\\STCDC002
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\system32\wbem;C:\Program Files\Common Files\Autodesk Shared
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 13 Stepping 6, GenuineIntel
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0d06
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\Java\jre1.5.0_04\lib\ext\QTJava.zip
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=c:\temp
TMP=c:\temp
USERDNSDOMAIN=us.kellogg.com
USERDOMAIN=US
USERNAME=uskbxl03
USERPROFILE=C:\Documents and Settings\uskbxl03
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

keladmin (admin)
Administrator (admin)
usvjxt30 (admin)
uskbxl03 (admin)
uskdnj02 (admin)
uscrlw08 (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> C:\WINDOWS\system32\\MSIEXEC.EXE /I {09DA4F91-2A09-4232-AB8C-6BC740096DE3} REMOVE=UpdateMgrFeature
--> C:\WINDOWS\system32\\MSIEXEC.EXE /x {9541FED0-327F-4df0-8B96-EF57EF622F19}
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3F92ABBB-6BBF-11D5-B229-002078017FBF}\SETUP.EXE" -l0x9 ControlPanelAnyText
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{E646DCF0-5A68-11D5-B229-002078017FBF}\SETUP.EXE" -l0x9 ControlPanel
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
AC3Filter (remove only) --> C:\Program Files\AC3Filter\uninstall.exe
Adobe Acrobat 7.0 Standard - English, Français, Deutsch --> msiexec /I {AC76BA86-1033-F400-BA7E-100000000002}
Adobe ConnectNow --> C:\Documents and Settings\uskbxl03\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\acaddin\acaddin.exe -uninstall
Adobe Download Manager 2.0 (Remove Only) --> "C:\Program Files\Common Files\Adobe\ESD\uninst.exe"
Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Agere Systems AC'97 Modem --> agrsmdel
Apple Software Update --> MsiExec.exe /I{B74F042E-E1B9-4A5B-8D46-387BB172F0A4}
ATI Display Driver --> rundll32 C:\WINDOWS\system32\atiiiexx.dll,[email protected] -force_restart -flags:0x2010001 -inf_class:DISPLAY -clean
AutoCAD LT 2006 - English --> MsiExec.exe /I{5783F2D7-4009-0409-0002-0060B0CE6BBA}
Autodesk DWF Viewer --> C:\PROGRA~1\Autodesk\AUTODE~1\Setup.exe /remove
CCleaner (remove only) --> "C:\Program Files\CCleaner\uninst.exe"
Cisco Aironet Installation Program --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{5B34EEAF-2BD6-4323-B7C2-FB8968755ACC}\setup.exe" -l0x9 -removeonly
Cisco Systems VPN Client 4.6.02.0011 --> MsiExec.exe /X{06624881-CF7D-4F8A-86C0-5114B122E776}
ClearType Tuning Control Panel Applet --> MsiExec.exe /I{C9E4932C-8417-4E4C-A0E3-EE534810AB4D}
Compatibility Pack for the 2007 Office system --> MsiExec.exe /X{90120000-0020-0409-0000-0000000FF1CE}
CorporateTime 5.1 --> MsiExec.exe /X{FF1DB6A0-42F1-4074-884F-DAD66A427C58}
DivX Codec --> C:\Program Files\DivX\DivXCodecUninstall.exe /CODEC
HighMAT Extension to Microsoft Windows XP CD Writing Wizard --> MsiExec.exe /X{FCE65C4E-B0E8-4FBD-AD16-EDCBE6CD591F}
hp deskjet 6122 --> MsiExec.exe /X{E1F4FB82-3EA6-46B6-A18A-9B3A62DA393E}
hp deskjet 6122 series --> rundll32 hpzcon07.dll,VendorJettison hp deskjet 6122 series
IBM RecordNow! --> MsiExec.exe /I{9541FED0-327F-4DF0-8B96-EF57EF622F19}
IBM ThinkPad Battery MaxiMiser and Power Management Features --> C:\WINDOWS\IsUninst.exe -fC:\PROGRA~1\ThinkPad\UTILIT~1\Unbmm.isu -c"C:\Program Files\ThinkPad\Utilities\Tpinsbmm.dll"
IBM ThinkPad Configuration --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FC081D4D-DF1B-4CF1-B530-027E4118D846}\SETUP.EXE" -l0x9 -AddRemove
IBM ThinkPad EasyEject Utility --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{1297C681-92D7-40EF-93BF-03F66EC5105C}\SETUP.EXE" -l0x9 -AddRemove
IBM ThinkPad Presentation Director --> C:\WINDOWS\IsUninst.exe -fC:\PROGRA~1\ThinkPad\UTILIT~1\UNNPDR.isu -c"C:\Program Files\ThinkPad\Utilities\Tpinsnpd.dll"
IBM Wireless LAN Adapters Software (11a/b, 11b/g, 11a/b/g) --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9FAC9E5C-0D20-4DBF-AFE5-2E09C52A95A2}\SETUP.EXE" -l0x9 UNINSTALLFROMSYS
Intel® Extreme Graphics 2 Driver --> RUNDLL32.EXE C:\WINDOWS\system32\ialmrem.dll,UninstallW2KIGfx PCI\VEN_8086&DEV_3582
Intel® PRO Network Connections Drivers --> Prounstl.exe
InterVideo WinDVD --> "C:\Program Files\InstallShield Installation Information\{91810AFC-A4F8-4EBA-A5AA-B198BBC81144}\setup.exe" REMOVEALL
iPassConnect --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{AB6FFA58-F491-11D3-8951-000000025594}\setup.exe"
J2SE Runtime Environment 5.0 Update 4 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150040}
Kellogg Cisco WiFi package version 2.6 --> c:\drivers\CiscoWiFi\setup.exe /remove
LiveUpdate 2.0 (Symantec Corporation) --> C:\Program Files\Symantec\LiveUpdate\LSETUP.EXE /U
Lotus Notes --> C:\WINDOWS\IsUninst.exe -fC:\Notes\Uninst.isu
Macromedia Flash Player --> MsiExec.exe /X{27579b3c-5470-4496-be6c-0c872674f19f}
Malwarebytes' Anti-Malware --> "C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
Microsoft Data Access Components KB870669 --> C:\WINDOWS\muninst.exe C:\WINDOWS\INF\KB870669.inf
Microsoft Office Project Standard 2003 --> MsiExec.exe /I{903A0409-6000-11D3-8CFE-0150048383C9}
Microsoft Office Standard Edition 2003 --> MsiExec.exe /I{90120409-6000-11D3-8CFE-0150048383C9}
Photron FASTCAM Viewer 2.4 --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{2A9355A3-A652-4F37-85B2-DB753E92DC46} /l1033
ProjectWise Explorer V8 XM Edition --> MsiExec.exe /I{482BA676-5C76-4B1C-98ED-11373B8C7CBD}
QuickTime --> c:\PROGRA~1\COMMON~1\INSTAL~1\Driver\11\INTEL3~1\IDriver.exe /M{929408E6-D265-4174-805F-81D1D914E2A4} /l1033
RFClient --> MsiExec.exe /I{B4846B86-556B-4F2A-9F42-C0DDE06EDF2D}
SAP Front End --> "C:\WINDOWS\SAPwksta\setup\sapsetup.exe" /uninstall
Security Update for CAPICOM (KB931906) --> MsiExec.exe /I{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Security Update for CAPICOM (KB931906) --> MsiExec.exe /X{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Shockwave --> C:\WINDOWS\system32\Macromed\SHOCKW~2\UNWISE.EXE C:\WINDOWS\system32\Macromed\SHOCKW~2\Install.log
Shockwave Player --> MsiExec.exe /X{930439A1-B49E-4A54-A499-31BDC1A91DE5}
Sonic Update Manager --> MsiExec.exe /I{09DA4F91-2A09-4232-AB8C-6BC740096DE3}
Symantec Client Security --> MsiExec.exe /I{00CD72B3-E2DF-4DFC-BCC1-5CC4F564518D}
ThinkPad Integrated 56K Modem --> C:\Program Files\CONEXANT\CNXT_MODEM_PCI_VEN_8086&DEV_24C6&SUBSYS_05591014\HXFSETUP.EXE -U -ITkp0559K.INF
ThinkPad Power Management Driver --> RunDll32.exe tpinspm.dll,Uninstall
ThinkPad UltraNav Driver --> rundll32.exe "C:\Program Files\Synaptics\SynTP\SynISDLL.dll",standAloneUninstall
ThinkVantage Active Protection System --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{72806716-7088-41B2-8FA6-717A2A164DAB}\SETUP.EXE" -l0x9 anything
Time Zone Data Update Tool for Microsoft Office Outlook --> MsiExec.exe /X{95120000-0038-0409-0000-0000000FF1CE}
Tweak UI --> "C:\WINDOWS\system32\mshta.exe" "res://C:\WINDOWS\system32\TweakUI.exe/uninstall.hta"
VideoLAN VLC media player 0.8.6a --> C:\Program Files\VideoLAN\VLC\uninstall.exe
WD Diagnostics --> MsiExec.exe /X{0AB76F69-E761-4CFA-B9B0-A1906B4E9E4B}
Windows Media Connect --> "C:\WINDOWS\$NtUninstallWMCSetup$\spuninst\spuninst.exe"
WinZip --> "c:\program files\winzip9sr1\winzip32.exe" /uninstall
WinZip Command Line Support Add-On 1.1 SR-1 --> C:\Program Files\winzip9sr1\winzip32 /auninstall wzcline


-- Application Event Log -------------------------------------------------------

Event Record #/Type3854 / Error
Event Submitted/Written: 07/27/2008 08:21:22 AM
Event ID/Source: 1085 / Userenv
Event Description:
The Group Policy client-side extension Security failed to execute. Please look for any errors reported earlier by that extension.

Event Record #/Type3853 / Warning
Event Submitted/Written: 07/27/2008 08:21:22 AM
Event ID/Source: 1202 / SceCli
Event Description:
Security policies were propagated with warning.
0x4b8 : An extended error has occurred.

For best results in resolving this event, log on with a non-administrative account and search http://support.microsoft.com for "Troubleshooting Event 1202's".

Event Record #/Type3851 / Error
Event Submitted/Written: 07/27/2008 05:32:52 AM
Event ID/Source: 15 / AutoEnrollment
Event Description:
Automatic certificate enrollment for US\uskbxl03 failed to contact the active directory (0x8007054b). The specified domain either does not exist or could not be contacted.
Enrollment will not be performed.

Event Record #/Type3850 / Error
Event Submitted/Written: 07/27/2008 05:32:07 AM
Event ID/Source: 15 / AutoEnrollment
Event Description:
Automatic certificate enrollment for local system failed to contact the active directory (0x8007054b). The specified domain either does not exist or could not be contacted.
Enrollment will not be performed.

Event Record #/Type3849 / Error
Event Submitted/Written: 07/26/2008 10:01:40 PM
Event ID/Source: 5 / Symantec AntiVirus
Event Description:
Threat Found!Threat: Packed.Generic.174 in File: C:\WINDOWS\system32\fmfmhqzy.exe by: Auto-Protect scan. Action: Clean failed : Quarantine failed : Delete succeeded : Access denied. Action Description: The file was deleted successfully.



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type8694 / Warning
Event Submitted/Written: 07/27/2008 08:32:24 AM
Event ID/Source: 20 / Print
Event Description:
Printer Driver HP LaserJet 8150 PCL 5e for Windows NT x86 Version-3 was added or updated. Files:- HPBF031G.DLL, HPBF031E.DLL, HPBF031I.PMD, HPBF031E.HLP, HPBFTM32.DLL, HPJCMN2U.DLL, HPPAPTS0.DLL, HPBMINI.DLL, HPBCFGRE.DLL, HPLJ8150.CFG, HPCDMC32.DLL, HPBAFD32.DLL, HPBMMON.DLL, HPDOMON.DLL, HPBHEALR.DLL, HPNRA.EXE, HPBOID.EXE, HPBPRO.EXE, HPPAPML0.EXE, HPBNRAC2.DLL, HPBMIAPI.DLL, HPBOIDPS.DLL, HPBPROPS.DLL, HPJIPX1U.DLL, HPPASNM0.DLL, HPPAPML0.DLL, HPBF031G.HPI.

Event Record #/Type8693 / Error
Event Submitted/Written: 07/27/2008 07:48:22 AM
Event ID/Source: 5789 / NETLOGON
Event Description:
Attempt to update DNS Host Name of the computer object
in Active Directory failed. The updated value was 'LUSKBXL03C9KZ'.
The following error occurred:
%%87

Event Record #/Type8653 / Error
Event Submitted/Written: 07/26/2008 09:31:06 PM
Event ID/Source: 5719 / NETLOGON
Event Description:
No Domain Controller is available for domain US due to the following:
%%1311.

Make sure that the computer is connected to the network and try
again. If the problem persists, please contact your domain administrator.

Event Record #/Type8642 / Error
Event Submitted/Written: 07/26/2008 11:17:51 AM
Event ID/Source: 5719 / NETLOGON
Event Description:
No Domain Controller is available for domain US due to the following:
%%1311.

Make sure that the computer is connected to the network and try
again. If the problem persists, please contact your domain administrator.

Event Record #/Type8641 / Warning
Event Submitted/Written: 07/26/2008 06:31:08 AM
Event ID/Source: 36 / W32Time
Event Description:
The time service has not been able to synchronize the system time
for 49152 seconds because none of the time providers has been able to
provide a usable time stamp. The system clock is unsynchronized.



-- End of Deckard's System Scanner: finished at 2008-07-27 12:29:35 ------------
  • 0
#2
Tigger93

    Trusted Helper

  • Retired Staff
  • 1,870 posts
Hi and Welcome to Geekstogo.

Download ComboFix from one of the locations below, and save it to your Desktop.

Link 1
Link 2
Link 3

Double-click combofix.exe and follow the prompts. Please, never rename ComboFix unless instructed.
When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply.
Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.
  • 0

#3
BCHurricane89

    Member

  • Topic Starter
  • Member
  • PipPip
  • 26 posts
Alright, ComboFix was a PITA; I had to run it like 8 times before it worked. Now I have found the log.

ComboFix 08-07-27.3 - uskbxl03 2008-07-27 18:44:40.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.109 [GMT -4:00]
Running from: C:\Documents and Settings\uskbxl03\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat

----- BITS: Possible infected sites -----

http://winupdate.us.kellogg.com
http://USOAKCWSRV024:80
.
((((((((((((((((((((((((( Files Created from 2008-06-27 to 2008-07-27 )))))))))))))))))))))))))))))))
.

2008-07-27 18:47 . 2008-07-27 18:47 53,248 --a------ C:\temp\catchme.dll
2008-07-27 13:45 . 2008-07-27 18:46 <DIR> d-------- C:\temp\Acrobat Distiller 7
2008-07-27 13:05 . 2008-07-27 13:05 <DIR> d-------- C:\temp\VBE
2008-07-27 12:28 . 2008-07-27 12:28 <DIR> d-------- C:\Program Files\Trend Micro
2008-07-24 20:53 . 2008-07-24 20:53 94,208 --a------ C:\WINDOWS\system32\nkzulclq.exe
2008-07-23 21:46 . 2008-07-23 21:46 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-07-23 21:46 . 2008-07-23 21:46 <DIR> d-------- C:\Documents and Settings\uskbxl03\Application Data\Malwarebytes
2008-07-23 21:46 . 2008-07-23 21:46 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-07-23 21:46 . 2008-07-23 20:20 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-07-23 21:46 . 2008-07-23 20:20 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-07-23 21:26 . 2008-07-27 18:47 <DIR> d-------- C:\temp
2008-07-23 20:55 . 2008-07-23 20:55 4,206 --a------ C:\WINDOWS\system32\tmp.reg
2008-07-23 20:43 . 2007-09-06 00:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2008-07-23 20:43 . 2006-04-27 17:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2008-07-23 20:43 . 2008-05-29 09:35 86,528 --a------ C:\WINDOWS\system32\VACFix.exe
2008-07-23 20:43 . 2008-05-23 18:21 81,920 --a------ C:\WINDOWS\system32\404Fix.exe
2008-07-23 20:43 . 2003-06-05 21:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
2008-07-23 20:43 . 2004-07-31 18:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-07-23 20:43 . 2007-10-04 00:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-07-22 17:33 . 2008-07-23 20:53 0 --ah----- C:\WINDOWS\.security
2008-07-22 17:33 . 2008-07-23 20:53 0 --ah----- C:\.security
2008-07-21 22:52 . 2008-07-21 22:52 <DIR> d-------- C:\Program Files\rnzwmhf
2008-07-21 22:52 . 2008-07-21 22:52 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\unohuxan
2008-07-21 22:52 . 2008-07-21 22:52 77,824 --a------ C:\WINDOWS\system32\onuhqjen.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-27 20:00 --------- d-----w C:\Documents and Settings\uskbxl03\Application Data\U3
2008-05-27 17:35 --------- d-----w C:\Documents and Settings\uskbxl03\Application Data\MSN6
2008-05-27 17:33 --------- d-----w C:\Documents and Settings\All Users\Application Data\MSN6
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 12:24 1694208]
"UtilWinSet"="C:\WINDOWS\system32\onuhqjen.exe" [2008-07-21 22:52 77824]
"strshui"="C:\WINDOWS\system32\nkzulclq.exe" [2008-07-24 20:53 94208]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TPHOTKEY"="C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe" [2005-03-03 20:10 94208]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2005-08-01 13:48 110592]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2005-08-01 13:48 512000]
"BLOG"="C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL" [2005-04-20 04:38 208896]
"BMMGAG"="C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll" [2005-04-20 04:38 110592]
"BMMLREF"="C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE" [2005-04-20 04:38 20480]
"BMMMONWND"="C:\PROGRA~1\ThinkPad\UTILIT~1\BatInfEx.dll" [2005-04-20 04:38 396288]
"EZEJMNAP"="C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe" [2004-11-24 05:10 212992]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2004-12-10 21:02 67184]
"vptray"="C:\PROGRA~1\SYMANT~1\SYMANT~2\VPTray.exe" [2004-12-30 17:19 120640]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2004-11-02 12:03 155648]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2004-11-02 11:59 126976]
"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe" [2005-07-22 23:18 188416]
"RightFAX Print-to-Fax Driver"="C:\Program Files\RightFax\\FaxCtrl.exe" [2003-09-01 23:32 110592]
"Acrobat Assistant 7.0"="C:\Program Files\Adobe\Distillr\Acrotray.exe" [2004-12-14 03:12 483328]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-03-21 09:28 155648]
"TpShocks"="TpShocks.exe" [2005-08-22 22:29 86016 C:\WINDOWS\system32\TpShocks.exe]
"AGRSMMSG"="AGRSMMSG.exe" [2003-06-27 11:53 88363 C:\WINDOWS\AGRSMMSG.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\Currentversion\policies\explorer\Run]
"9F8ATTTXED"="C:\Documents and Settings\All Users\Application Data\unohuxan\mxoxapqz.exe" [2008-07-21 22:52 53248]

C:\Documents and Settings\uskbxl03\Start Menu\Programs\Startup\
.security [2008-07-23 20:53:24 0]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
.security [2008-07-23 20:53:24 0]
Adobe Acrobat Speed Launcher.lnk - C:\WINDOWS\Installer\{AC76BA86-1033-F400-BA7E-100000000002}\SC_Acrobat.exe [2006-02-22 17:45:01 25214]
AutoCAD LT Startup Accelerator.lnk - C:\Program Files\Common Files\Autodesk Shared\acstart16.exe [2005-03-05 09:18:22 10872]
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2005-06-03 11:26:13 24576]
VPN Client.lnk - C:\WINDOWS\Installer\{06624881-CF7D-4F8A-86C0-5114B122E776}\Icon3E5562ED7.ico [2005-07-12 17:57:38 6144]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableCAD"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoMSAppLogo5ChannelNotify"= 0 (0x0)
"NoBandCustomize"= 0 (0x0)
"NoNTSecurity"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"Btn_Back"= 0 (0x0)
"Btn_Forward"= 0 (0x0)
"Btn_Stop"= 0 (0x0)
"Btn_Refresh"= 0 (0x0)
"Btn_Home"= 0 (0x0)
"Btn_Search"= 0 (0x0)
"Btn_History"= 0 (0x0)
"Btn_Favorites"= 0 (0x0)
"Btn_Media"= 0 (0x0)
"Btn_Folders"= 0 (0x0)
"Btn_Fullscreen"= 0 (0x0)
"Btn_Tools"= 0 (0x0)
"Btn_MailNews"= 0 (0x0)
"Btn_Size"= 0 (0x0)
"Btn_Print"= 0 (0x0)
"Btn_Edit"= 0 (0x0)
"Btn_Discussions"= 0 (0x0)
"Btn_Cut"= 0 (0x0)
"Btn_Copy"= 0 (0x0)
"Btn_Paste"= 0 (0x0)
"Btn_Encoding"= 0 (0x0)
"Btn_PrintPreview"= 0 (0x0)
"NoFavoritesMenu"= 0 (0x0)
"NoLogoff"= 0 (0x0)
"EnforceShellExtensionSecurity"= 0 (0x0)
"NoDeletePrinter"= 0 (0x0)
"NoAddPrinter"= 0 (0x0)
"NoPrinterTabs"= 0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"UiCom"= {4354AA3D-341D-D542-D280-01732E429484} - C:\Program Files\rnzwmhf\UiCom.dll [2008-07-21 22:52 110592]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
2004-08-12 23:11 24576 C:\WINDOWS\system32\tphklock.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.ac3filter"= ac3filter.acm

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R0 Shockprf;Shockprf;C:\WINDOWS\system32\drivers\Shockprf.sys [2005-06-06 14:59]
R1 ShockMgr;ShockMgr;C:\WINDOWS\system32\drivers\ShockMgr.sys [2005-06-06 14:59]
R1 TPPWR;TPPWR;C:\WINDOWS\system32\drivers\Tppwr.sys [2005-04-20 04:38]
R2 CcmExec;SMS Agent Host;C:\WINDOWS\system32\CCM\CcmExec.exe [2007-04-13 03:50]
R2 iPCAgent;iPCAgent;C:\Program Files\iPass\iPassConnect\iPCAgent.exe [2005-05-16 11:29]
R2 MDC80211;iPass Protocol (IEEE 802.1x) v2.3.1.9;C:\WINDOWS\system32\DRIVERS\mdc80211.sys [2006-10-27 10:50]
R3 prepdrvr;SMS Process Event Driver;C:\WINDOWS\system32\CCM\prepdrv.sys [2007-04-13 03:50]
S3 CSCO21;Cisco Aironet 802.11a/b/g Wireless Adapter Service;C:\WINDOWS\system32\DRIVERS\csco21.sys [2005-08-12 18:14]
S3 PCAM1394;PCAM1394;C:\WINDOWS\system32\DRIVERS\PCAM1394.sys [2006-05-23 18:40]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{986e75ca-aa1e-11db-9e86-000d607d34c8}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c3415130-e8ab-11d9-986c-00028af224a9}]
\Shell\AutoRun\command - E:\setup.EXE
.
Contents of the 'Scheduled Tasks' folder

2008-07-14 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 14:57]

2005-06-03 C:\WINDOWS\Tasks\BMMTask.job
- C:\PROGRA~1\ThinkPad\UTILIT~1\BMMTASK.EXE [2005-04-20 04:38]

2005-06-08 C:\WINDOWS\Tasks\Symantec NetDetect.job
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE [2004-01-02 17:20]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-cmdcfg - C:\WINDOWS\system32\jqjuvqbc.exe
HKCU-Run-CfgSmart - C:\WINDOWS\system32\tyterwxc.exe


.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = hxxp://intranet.kellogg.com/
R1 -: HKCU-Internet Connection Wizard,ShellNext = hxxp://intranet.kellogg.com/
O8 -: Convert link target to Adobe PDF - C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 -: Convert link target to existing PDF - C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 -: Convert selected links to Adobe PDF - C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 -: Convert selected links to existing PDF - C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 -: Convert selection to Adobe PDF - C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 -: Convert selection to existing PDF - C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 -: Convert to Adobe PDF - C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 -: Convert to existing PDF - C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 -: E&xport to Microsoft Excel - C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O16 -: DirectAnimation Java Classes - file://C:\WINDOWS\Java\classes\dajava.cab
C:\WINDOWS\Downloaded Program Files\DirectAnimation Java Classes.osd

O16 -: Microsoft XML Parser for Java - file://C:\WINDOWS\Java\classes\xmldso.cab
C:\WINDOWS\Downloaded Program Files\Microsoft XML Parser for Java.osd


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-27 18:47:09
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\tphklock.dll
.
Completion time: 2008-07-27 18:48:40
ComboFix-quarantined-files.txt 2008-07-27 22:48:37

Pre-Run: 13,261,946,880 bytes free
Post-Run: 13,254,651,904 bytes free

200 --- E O F --- 2008-07-27 21:48:33





Here is the new HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:57, on 2008-07-27
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\ccs.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\SYSTEM32\DWRCS.EXE
C:\Program Files\iPass\iPassConnect\iPCAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec Client Security\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\TPHDEXLG.EXE
C:\WINDOWS\system32\CCM\CLICOMP\RemCtrl\Wuser32.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\CCM\CcmExec.exe
C:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SYSTEM32\DWRCST.exe
C:\Documents and Settings\All Users\Application Data\unohuxan\mxoxapqz.exe
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
C:\WINDOWS\system32\RunDll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\SYMANT~2\VPTray.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
C:\Program Files\RightFax\FaxCtrl.exe
C:\Program Files\Adobe\Distillr\Acrotray.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\onuhqjen.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\iPass\iPassConnect\downloader\ipccheck.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://intranet.kellogg.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://intranet.kellogg.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://configscript....ard/INSTALL.INS
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\ActiveX\AcroIEHelper.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [BLOG] rundll32.exe C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL,StartBattLog
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [BMMLREF] C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE
O4 - HKLM\..\Run: [BMMMONWND] rundll32.exe C:\PROGRA~1\ThinkPad\UTILIT~1\BatInfEx.dll,BMMAutonomicMonitor
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~2\VPTray.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [RightFAX Print-to-Fax Driver] C:\Program Files\RightFax\\FaxCtrl.exe
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [UtilWinSet] C:\WINDOWS\system32\onuhqjen.exe
O4 - HKCU\..\Run: [cmdcfg] C:\WINDOWS\system32\jqjuvqbc.exe
O4 - HKCU\..\Run: [CfgSmart] C:\WINDOWS\system32\tyterwxc.exe
O4 - HKCU\..\Run: [strshui] C:\WINDOWS\system32\nkzulclq.exe
O4 - HKLM\..\Policies\Explorer\Run: [9F8ATTTXED] C:\Documents and Settings\All Users\Application Data\unohuxan\mxoxapqz.exe
O4 - Startup: .security
O4 - Global Startup: .security
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: AutoCAD LT Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart16.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: VPN Client.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.books24x7.com
O15 - Trusted Zone: *.confarchives.com
O15 - Trusted Zone: *.conferencing.com
O15 - Trusted Zone: *.ctadvantage.com
O15 - Trusted Zone: *.elementk.com
O15 - Trusted Zone: *.elm-wilke
O15 - Trusted Zone: *.elmsrv025
O15 - Trusted Zone: kelloggs.empowerdata.com
O15 - Trusted Zone: www.genesys.com
O15 - Trusted Zone: *.genesys.com
O15 - Trusted Zone: www.genesysmeetingcenter.com
O15 - Trusted Zone: *.iconf.net
O15 - Trusted Zone: *.us.kellogg.com
O15 - Trusted Zone: *.lbcity.biz
O15 - Trusted Zone: *.newhorizons.com
O15 - Trusted Zone: www.schneiderlogistics.com
O15 - Trusted Zone: *.shareholder.com
O15 - Trusted Zone: *.stcdev008
O15 - Trusted Zone: *.xatanet.net
O15 - Trusted Zone: *.zoomerang.com
O15 - Trusted Zone: *.books24x7.com (HKLM)
O15 - Trusted Zone: *.confarchives.com (HKLM)
O15 - Trusted Zone: *.conferencing.com (HKLM)
O15 - Trusted Zone: *.ctadvantage.com (HKLM)
O15 - Trusted Zone: *.elementk.com (HKLM)
O15 - Trusted Zone: *.elm-wilke (HKLM)
O15 - Trusted Zone: *.elmsrv025 (HKLM)
O15 - Trusted Zone: kelloggs.empowerdata.com (HKLM)
O15 - Trusted Zone: www.genesys.com (HKLM)
O15 - Trusted Zone: *.genesys.com (HKLM)
O15 - Trusted Zone: www.genesysmeetingcenter.com (HKLM)
O15 - Trusted Zone: *.iconf.net (HKLM)
O15 - Trusted Zone: *.us.kellogg.com (HKLM)
O15 - Trusted Zone: *.lbcity.biz (HKLM)
O15 - Trusted Zone: *.newhorizons.com (HKLM)
O15 - Trusted Zone: www.schneiderlogistics.com (HKLM)
O15 - Trusted Zone: *.shareholder.com (HKLM)
O15 - Trusted Zone: *.stcdev008 (HKLM)
O15 - Trusted Zone: *.xatanet.net (HKLM)
O15 - Trusted Zone: *.zoomerang.com (HKLM)
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://ca.com/us/sec...nfo/webscan.cab
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = us.kellogg.com,kellogg.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = us.kellogg.com,kellogg.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = us.kellogg.com,kellogg.com
O21 - SSODL: UiCom - {4354AA3D-341D-D542-D280-01732E429484} - C:\Program Files\rnzwmhf\UiCom.dll
O23 - Service: ACU Configuration Service (ACS) - Unknown owner - C:\WINDOWS\System32\acs.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Cisco Configuration Service (CCS) - Cisco Systems, Inc. - C:\WINDOWS\system32\ccs.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: DameWare Mini Remote Control (DWMRCS) - DameWare Development LLC - C:\WINDOWS\SYSTEM32\DWRCS.EXE
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPassConnectEngine - iPass - C:\Program Files\iPass\iPassConnect\iPassConnectEngine.exe
O23 - Service: iPCAgent - iPass, Inc. - C:\Program Files\iPass\iPassConnect\iPCAgent.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec Client Security\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Symantec SecurePort (SymSecurePort) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe
O23 - Service: ThinkPad HDD APS Logging Service (TPHDEXLGSVC) - Lenovo. - C:\WINDOWS\System32\TPHDEXLG.EXE

--
End of file - 12548 bytes

Edited by BCHurricane89, 27 July 2008 - 04:56 PM.

#4
Tigger93
    Trusted Helper
  • Retired Staff
  • 1,870 posts
1. Please open Notepad
  • Click Start, then Run
  • Type notepad.exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

File::
C:\WINDOWS\system32\nkzulclq.exe
C:\WINDOWS\system32\VCCLSID.exe
C:\WINDOWS\system32\SrchSTS.exe
C:\WINDOWS\system32\VACFix.exe
C:\WINDOWS\system32\404Fix.exe
C:\WINDOWS\system32\Process.exe
C:\WINDOWS\system32\dumphive.exe
C:\WINDOWS\system32\WS2Fix.exe
C:\WINDOWS\system32\onuhqjen.exe

Folder::
C:\Program Files\rnzwmhf
C:\Documents and Settings\All Users\Application Data\unohuxan

Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"strshui"=-

[HKEY_LOCAL_MACHINE\software\microsoft\windows\Currentversion\policies\explorer\Run]
"9F8ATTTXED"=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"UiCom"=-

3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

Posted Image


5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.

#5
BCHurricane89
    Member
  • Topic Starter
  • 26 posts
ComboFix 08-07-27.3 - uskbxl03 2008-07-27 22:43:47.5 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.80 [GMT -4:00]
Running from: C:\Documents and Settings\uskbxl03\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\uskbxl03\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\WINDOWS\system32\404Fix.exe
C:\WINDOWS\system32\dumphive.exe
C:\WINDOWS\system32\nkzulclq.exe
C:\WINDOWS\system32\onuhqjen.exe
C:\WINDOWS\system32\Process.exe
C:\WINDOWS\system32\SrchSTS.exe
C:\WINDOWS\system32\VACFix.exe
C:\WINDOWS\system32\VCCLSID.exe
C:\WINDOWS\system32\WS2Fix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\unohuxan
C:\Documents and Settings\All Users\Application Data\unohuxan\mxoxapqz.exe
C:\Program Files\rnzwmhf
C:\Program Files\rnzwmhf\UiCom.dll
C:\WINDOWS\system32\404Fix.exe
C:\WINDOWS\system32\dumphive.exe
C:\WINDOWS\system32\nkzulclq.exe
C:\WINDOWS\system32\onuhqjen.exe
C:\WINDOWS\system32\Process.exe
C:\WINDOWS\system32\SrchSTS.exe
C:\WINDOWS\system32\VACFix.exe
C:\WINDOWS\system32\VCCLSID.exe
C:\WINDOWS\system32\WS2Fix.exe

.
((((((((((((((((((((((((( Files Created from 2008-06-28 to 2008-07-28 )))))))))))))))))))))))))))))))
.

2008-07-27 22:46 . 2008-07-27 22:46 53,248 --a------ C:\temp\catchme.dll
2008-07-27 22:41 . 2008-07-27 22:41 <DIR> d-------- C:\WINDOWS\LastGood
2008-07-27 20:43 . 2008-07-27 21:32 <DIR> d-------- C:\temp\VPMECTMP
2008-07-27 20:33 . 2008-07-27 20:33 <DIR> d-------- C:\temp\msohtml1
2008-07-27 20:33 . 2008-07-27 20:33 <DIR> d-------- C:\temp\msohtml
2008-07-27 19:22 . 2008-07-27 19:22 81,920 --a------ C:\WINDOWS\system32\vmxaxodc.exe
2008-07-27 13:45 . 2008-07-27 22:45 <DIR> d-------- C:\temp\Acrobat Distiller 7
2008-07-27 13:05 . 2008-07-27 13:05 <DIR> d-------- C:\temp\VBE
2008-07-27 12:28 . 2008-07-27 12:28 <DIR> d-------- C:\Program Files\Trend Micro
2008-07-23 21:46 . 2008-07-23 21:46 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-07-23 21:46 . 2008-07-23 21:46 <DIR> d-------- C:\Documents and Settings\uskbxl03\Application Data\Malwarebytes
2008-07-23 21:46 . 2008-07-23 21:46 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-07-23 21:46 . 2008-07-23 20:20 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-07-23 21:46 . 2008-07-23 20:20 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-07-23 21:26 . 2008-07-27 22:46 <DIR> d-------- C:\temp
2008-07-23 20:55 . 2008-07-23 20:55 4,206 --a------ C:\WINDOWS\system32\tmp.reg
2008-07-22 17:33 . 2008-07-23 20:53 0 --ah----- C:\WINDOWS\.security
2008-07-22 17:33 . 2008-07-23 20:53 0 --ah----- C:\.security

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-27 20:00 --------- d-----w C:\Documents and Settings\uskbxl03\Application Data\U3
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 12:24 1694208]
"cmdcfg"="C:\WINDOWS\system32\jqjuvqbc.exe" [BU]
"CfgSmart"="C:\WINDOWS\system32\tyterwxc.exe" [BU]
"comstrwin"="C:\WINDOWS\system32\vmxaxodc.exe" [2008-07-27 19:22 81920]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TPHOTKEY"="C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe" [2005-03-03 20:10 94208]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2005-08-01 13:48 110592]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2005-08-01 13:48 512000]
"BLOG"="C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL" [2005-04-20 04:38 208896]
"BMMGAG"="C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll" [2005-04-20 04:38 110592]
"BMMLREF"="C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE" [2005-04-20 04:38 20480]
"BMMMONWND"="C:\PROGRA~1\ThinkPad\UTILIT~1\BatInfEx.dll" [2005-04-20 04:38 396288]
"EZEJMNAP"="C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe" [2004-11-24 05:10 212992]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2004-12-10 21:02 67184]
"vptray"="C:\PROGRA~1\SYMANT~1\SYMANT~2\VPTray.exe" [2004-12-30 17:19 120640]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2004-11-02 12:03 155648]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2004-11-02 11:59 126976]
"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe" [2005-07-22 23:18 188416]
"RightFAX Print-to-Fax Driver"="C:\Program Files\RightFax\\FaxCtrl.exe" [2003-09-01 23:32 110592]
"Acrobat Assistant 7.0"="C:\Program Files\Adobe\Distillr\Acrotray.exe" [2004-12-14 03:12 483328]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-03-21 09:28 155648]
"TpShocks"="TpShocks.exe" [2005-08-22 22:29 86016 C:\WINDOWS\system32\TpShocks.exe]
"AGRSMMSG"="AGRSMMSG.exe" [2003-06-27 11:53 88363 C:\WINDOWS\AGRSMMSG.exe]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
.security [2008-07-23 20:53:24 0]
Adobe Acrobat Speed Launcher.lnk - C:\WINDOWS\Installer\{AC76BA86-1033-F400-BA7E-100000000002}\SC_Acrobat.exe [2006-02-22 17:45:01 25214]
AutoCAD LT Startup Accelerator.lnk - C:\Program Files\Common Files\Autodesk Shared\acstart16.exe [2005-03-05 09:18:22 10872]
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2005-06-03 11:26:13 24576]
VPN Client.lnk - C:\WINDOWS\Installer\{06624881-CF7D-4F8A-86C0-5114B122E776}\Icon3E5562ED7.ico [2005-07-12 17:57:38 6144]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableCAD"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoMSAppLogo5ChannelNotify"= 0 (0x0)
"NoBandCustomize"= 0 (0x0)
"NoNTSecurity"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"Btn_Back"= 0 (0x0)
"Btn_Forward"= 0 (0x0)
"Btn_Stop"= 0 (0x0)
"Btn_Refresh"= 0 (0x0)
"Btn_Home"= 0 (0x0)
"Btn_Search"= 0 (0x0)
"Btn_History"= 0 (0x0)
"Btn_Favorites"= 0 (0x0)
"Btn_Media"= 0 (0x0)
"Btn_Folders"= 0 (0x0)
"Btn_Fullscreen"= 0 (0x0)
"Btn_Tools"= 0 (0x0)
"Btn_MailNews"= 0 (0x0)
"Btn_Size"= 0 (0x0)
"Btn_Print"= 0 (0x0)
"Btn_Edit"= 0 (0x0)
"Btn_Discussions"= 0 (0x0)
"Btn_Cut"= 0 (0x0)
"Btn_Copy"= 0 (0x0)
"Btn_Paste"= 0 (0x0)
"Btn_Encoding"= 0 (0x0)
"Btn_PrintPreview"= 0 (0x0)
"NoFavoritesMenu"= 0 (0x0)
"NoLogoff"= 0 (0x0)
"EnforceShellExtensionSecurity"= 0 (0x0)
"NoDeletePrinter"= 0 (0x0)
"NoAddPrinter"= 0 (0x0)
"NoPrinterTabs"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
2004-08-12 23:11 24576 C:\WINDOWS\system32\tphklock.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.ac3filter"= ac3filter.acm

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R0 Shockprf;Shockprf;C:\WINDOWS\system32\drivers\Shockprf.sys [2005-06-06 14:59]
R1 ShockMgr;ShockMgr;C:\WINDOWS\system32\drivers\ShockMgr.sys [2005-06-06 14:59]
R1 TPPWR;TPPWR;C:\WINDOWS\system32\drivers\Tppwr.sys [2005-04-20 04:38]
R2 CcmExec;SMS Agent Host;C:\WINDOWS\system32\CCM\CcmExec.exe [2007-04-13 03:50]
R2 iPCAgent;iPCAgent;C:\Program Files\iPass\iPassConnect\iPCAgent.exe [2005-05-16 11:29]
R2 MDC80211;iPass Protocol (IEEE 802.1x) v2.3.1.9;C:\WINDOWS\system32\DRIVERS\mdc80211.sys [2006-10-27 10:50]
R3 prepdrvr;SMS Process Event Driver;C:\WINDOWS\system32\CCM\prepdrv.sys [2007-04-13 03:50]
S3 CSCO21;Cisco Aironet 802.11a/b/g Wireless Adapter Service;C:\WINDOWS\system32\DRIVERS\csco21.sys [2005-08-12 18:14]
S3 PCAM1394;PCAM1394;C:\WINDOWS\system32\DRIVERS\PCAM1394.sys [2006-05-23 18:40]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{986e75ca-aa1e-11db-9e86-000d607d34c8}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c3415130-e8ab-11d9-986c-00028af224a9}]
\Shell\AutoRun\command - E:\setup.EXE
.
Contents of the 'Scheduled Tasks' folder

2008-07-14 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 14:57]

2005-06-03 C:\WINDOWS\Tasks\BMMTask.job
- C:\PROGRA~1\ThinkPad\UTILIT~1\BMMTASK.EXE [2005-04-20 04:38]

2005-06-08 C:\WINDOWS\Tasks\Symantec NetDetect.job
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE [2004-01-02 17:20]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-UtilWinSet - C:\WINDOWS\system32\onuhqjen.exe


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-27 22:46:40
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\tphklock.dll
.
Completion time: 2008-07-27 22:48:12
ComboFix-quarantined-files.txt 2008-07-28 02:48:09
ComboFix2.txt 2008-07-27 22:48:41

Pre-Run: 13,607,796,736 bytes free
Post-Run: 13,602,426,880 bytes free

189 --- E O F --- 2008-07-28 01:45:25

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:50, on 2008-07-27
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\ccs.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\SYSTEM32\DWRCS.EXE
C:\Program Files\iPass\iPassConnect\iPCAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec Client Security\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\TPHDEXLG.EXE
C:\WINDOWS\system32\CCM\CLICOMP\RemCtrl\Wuser32.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\CCM\CcmExec.exe
C:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\SYSTEM32\DWRCST.exe
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\SYMANT~2\VPTray.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
C:\Program Files\RightFax\FaxCtrl.exe
C:\Program Files\Adobe\Distillr\Acrotray.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\iPass\iPassConnect\downloader\ipccheck.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://intranet.kellogg.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://intranet.kellogg.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://configscript....ard/INSTALL.INS
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\ActiveX\AcroIEHelper.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [BLOG] rundll32.exe C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL,StartBattLog
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [BMMLREF] C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE
O4 - HKLM\..\Run: [BMMMONWND] rundll32.exe C:\PROGRA~1\ThinkPad\UTILIT~1\BatInfEx.dll,BMMAutonomicMonitor
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~2\VPTray.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [RightFAX Print-to-Fax Driver] C:\Program Files\RightFax\\FaxCtrl.exe
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [cmdcfg] C:\WINDOWS\system32\jqjuvqbc.exe
O4 - HKCU\..\Run: [CfgSmart] C:\WINDOWS\system32\tyterwxc.exe
O4 - HKCU\..\Run: [comstrwin] C:\WINDOWS\system32\vmxaxodc.exe
O4 - Global Startup: .security
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: AutoCAD LT Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart16.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: VPN Client.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.books24x7.com
O15 - Trusted Zone: *.confarchives.com
O15 - Trusted Zone: *.conferencing.com
O15 - Trusted Zone: *.ctadvantage.com
O15 - Trusted Zone: *.elementk.com
O15 - Trusted Zone: *.elm-wilke
O15 - Trusted Zone: *.elmsrv025
O15 - Trusted Zone: kelloggs.empowerdata.com
O15 - Trusted Zone: www.genesys.com
O15 - Trusted Zone: *.genesys.com
O15 - Trusted Zone: www.genesysmeetingcenter.com
O15 - Trusted Zone: *.iconf.net
O15 - Trusted Zone: *.us.kellogg.com
O15 - Trusted Zone: *.lbcity.biz
O15 - Trusted Zone: *.newhorizons.com
O15 - Trusted Zone: www.schneiderlogistics.com
O15 - Trusted Zone: *.shareholder.com
O15 - Trusted Zone: *.stcdev008
O15 - Trusted Zone: *.xatanet.net
O15 - Trusted Zone: *.zoomerang.com
O15 - Trusted Zone: *.books24x7.com (HKLM)
O15 - Trusted Zone: *.confarchives.com (HKLM)
O15 - Trusted Zone: *.conferencing.com (HKLM)
O15 - Trusted Zone: *.ctadvantage.com (HKLM)
O15 - Trusted Zone: *.elementk.com (HKLM)
O15 - Trusted Zone: *.elm-wilke (HKLM)
O15 - Trusted Zone: *.elmsrv025 (HKLM)
O15 - Trusted Zone: kelloggs.empowerdata.com (HKLM)
O15 - Trusted Zone: www.genesys.com (HKLM)
O15 - Trusted Zone: *.genesys.com (HKLM)
O15 - Trusted Zone: www.genesysmeetingcenter.com (HKLM)
O15 - Trusted Zone: *.iconf.net (HKLM)
O15 - Trusted Zone: *.us.kellogg.com (HKLM)
O15 - Trusted Zone: *.lbcity.biz (HKLM)
O15 - Trusted Zone: *.newhorizons.com (HKLM)
O15 - Trusted Zone: www.schneiderlogistics.com (HKLM)
O15 - Trusted Zone: *.shareholder.com (HKLM)
O15 - Trusted Zone: *.stcdev008 (HKLM)
O15 - Trusted Zone: *.xatanet.net (HKLM)
O15 - Trusted Zone: *.zoomerang.com (HKLM)
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://ca.com/us/sec...nfo/webscan.cab
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = us.kellogg.com,kellogg.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = us.kellogg.com,kellogg.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = us.kellogg.com,kellogg.com
O23 - Service: ACU Configuration Service (ACS) - Unknown owner - C:\WINDOWS\System32\acs.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Cisco Configuration Service (CCS) - Cisco Systems, Inc. - C:\WINDOWS\system32\ccs.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: DameWare Mini Remote Control (DWMRCS) - DameWare Development LLC - C:\WINDOWS\SYSTEM32\DWRCS.EXE
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPassConnectEngine - iPass - C:\Program Files\iPass\iPassConnect\iPassConnectEngine.exe
O23 - Service: iPCAgent - iPass, Inc. - C:\Program Files\iPass\iPassConnect\iPCAgent.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec Client Security\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Symantec SecurePort (SymSecurePort) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe
O23 - Service: ThinkPad HDD APS Logging Service (TPHDEXLGSVC) - Lenovo. - C:\WINDOWS\System32\TPHDEXLG.EXE

--
End of file - 12059 bytes
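
Editor's note on the two posts above. The CFScript in post #4 and the ComboFix/HijackThis output in post #5 show the pattern the helper was chasing: HKCU Run values (cmdcfg, CfgSmart, comstrwin, UtilWinSet) starting random-looking 8-letter executables from system32, plus an O21 SSODL entry loading UiCom.dll from a random-named folder under Program Files. The script below is an added example, not a tool used or posted in this thread. It parses HijackThis O4 and O21 lines, applies that heuristic (an assumption derived from the names removed here, not a general malware rule), and renders the hits in the File::/Folder::/Registry:: CFScript format the helper used, including the REGEDIT4 `"value"=-` syntax for deleting a registry value. The sample lines are copied from the logs in this thread.

```python
"""Triage HijackThis O4/O21 lines and emit a ComboFix CFScript.

Added example by the editor, not a tool from the thread. The detection
heuristic is an assumption derived from the entries the helper removed here:
an HKCU Run value that starts an 8-lowercase-letter .exe from system32, and an
O21 SSODL shell object whose DLL lives outside system32.
"""
import re

# Constructed sample: O4/O21 lines copied from the HijackThis logs in this thread.
SAMPLE_HJT_LOG = r"""
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [cmdcfg] C:\WINDOWS\system32\jqjuvqbc.exe
O4 - HKCU\..\Run: [CfgSmart] C:\WINDOWS\system32\tyterwxc.exe
O4 - HKCU\..\Run: [comstrwin] C:\WINDOWS\system32\vmxaxodc.exe
O21 - SSODL: UiCom - {4354AA3D-341D-D542-D280-01732E429484} - C:\Program Files\rnzwmhf\UiCom.dll
"""

O4_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\Run: \[([^\]]+)\] (.+)$")
O21_RE = re.compile(r"^O21 - SSODL: (\S+) - \{[0-9A-Fa-f-]+\} - (.+)$")
SYSTEM32_RE = re.compile(r"^c:\\windows\\system32\\", re.IGNORECASE)
RANDOM_EXE_RE = re.compile(r"^[a-z]{8}\.exe$")

RUN_KEYS = {
    "HKCU": r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    "HKLM": r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
}
SSODL_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad"


def command_to_path(command):
    """Extract the executable path from an O4 command line.

    A quoted command ("C:\\Program Files\\...\\x.exe" /arg) yields the quoted part;
    an unquoted one yields its first whitespace-delimited token.
    """
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0]


def triage_hjt_log(text):
    """Return findings ({'kind', 'hive', 'name', 'path'}) that match the heuristic."""
    findings = []
    for line in text.splitlines():
        m = O4_RE.match(line)
        if m:
            hive, name, command = m.groups()
            path = command_to_path(command)
            basename = path.rsplit("\\", 1)[-1]
            # Heuristic: user-level Run key + random-looking 8-letter .exe in system32.
            # The HKCU requirement keeps legitimate HKLM entries such as igfxtray.exe out.
            if hive == "HKCU" and SYSTEM32_RE.match(path) and RANDOM_EXE_RE.match(basename):
                findings.append({"kind": "run", "hive": hive, "name": name, "path": path})
            continue
        m = O21_RE.match(line)
        if m:
            name, path = m.groups()
            # Heuristic: a delay-loaded shell object whose DLL is not under system32.
            if not SYSTEM32_RE.match(path):
                findings.append({"kind": "ssodl", "hive": "HKLM", "name": name, "path": path})
    return findings


def build_cfscript(findings):
    """Render findings as a CFScript with File::, Folder:: and Registry:: sections.

    Flagged executables go under File::, the folder holding a flagged SSODL DLL
    goes under Folder::, and each autostart value is deleted with '"name"=-'.
    """
    files = sorted(f["path"] for f in findings if f["kind"] == "run")
    folders = sorted({f["path"].rsplit("\\", 1)[0] for f in findings if f["kind"] == "ssodl"})
    by_key = {}
    for f in findings:
        key = RUN_KEYS[f["hive"]] if f["kind"] == "run" else SSODL_KEY
        by_key.setdefault(key, []).append(f["name"])

    out = ["File::", *files, "", "Folder::", *folders, "", "Registry::"]
    for key, names in by_key.items():
        out.append(f"[{key}]")
        out.extend(f'"{n}"=-' for n in names)
        out.append("")
    return "\n".join(out).rstrip("\n") + "\n"


if __name__ == "__main__":
    print(build_cfscript(triage_hjt_log(SAMPLE_HJT_LOG)))
```

Requiring the HKCU hive matters: igfxtray.exe in the HKLM Run key is also eight lowercase letters, and a basename-only check would flag a legitimate Intel component. The heuristic is tuned to this one infection, so any generated script should be read line by line before it is dropped onto ComboFix.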

#6
Tigger93
    Trusted Helper
  • Retired Staff
  • 1,870 posts
Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

#7
BCHurricane89
    Member
  • Topic Starter
  • 26 posts
Alright, my log is below, but I keep getting these pop-ups (see attachment)

Malwarebytes' Anti-Malware 1.23
Database version: 1002
Windows 5.1.2600 Service Pack 2

6:41:19 PM 7/28/08
mbam-log-7-28-2008 (18-41-19).txt

Scan type: Quick Scan
Objects scanned: 49866
Time elapsed: 9 minute(s), 40 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Attached Thumbnails

  • trojan2.JPG
  • trojan.JPG

Edited by BCHurricane89, 28 July 2008 - 04:49 PM.

#8
Tigger93
    Trusted Helper
  • Retired Staff
  • 1,870 posts
Do they give you a file-path to the infected files?

#9
BCHurricane89
    Member
  • Topic Starter
  • 26 posts
Nope, they don't, and if you click "enable protection" it takes you to some phony spyware website type thing, so I just close them.

#10
Tigger93
    Trusted Helper
  • Retired Staff
  • 1,870 posts
Thanks, that helps. :)

Open HijackThis, click Config, click Misc Tools
Click "Open Uninstall Manager"
Click "Save List" (generates uninstall_list.txt)
Click Save, copy and paste the results in your next post.

#11
BCHurricane89
    Member
  • Topic Starter
  • 26 posts
AC3Filter (remove only)
Adobe Acrobat 7.0 Standard - English, Français, Deutsch
Adobe Download Manager 2.0 (Remove Only)
Adobe Flash Player ActiveX
Agere Systems AC'97 Modem
Apple Software Update
ATI Display Driver
AutoCAD LT 2006 - English
Autodesk DWF Viewer
CCleaner (remove only)
Cisco Aironet Installation Program
Cisco Systems VPN Client 4.6.02.0011
ClearType Tuning Control Panel Applet
Compatibility Pack for the 2007 Office system
CorporateTime 5.1
DivX Codec
HighMAT Extension to Microsoft Windows XP CD Writing Wizard
HijackThis 2.0.2
hp deskjet 6122
hp deskjet 6122 series
IBM RecordNow!
IBM ThinkPad Battery MaxiMiser and Power Management Features
IBM ThinkPad Configuration
IBM ThinkPad EasyEject Utility
IBM ThinkPad Presentation Director
IBM Wireless LAN Adapters Software (11a/b, 11b/g, 11a/b/g)
Intel® Extreme Graphics 2 Driver
Intel® PRO Network Connections Drivers
InterVideo WinDVD
iPassConnect
J2SE Runtime Environment 5.0 Update 4
Kellogg Cisco WiFi package version 2.6
LiveUpdate 2.0 (Symantec Corporation)
Lotus Notes
Macromedia Flash Player
Malwarebytes' Anti-Malware
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0
Microsoft Data Access Components KB870669
Microsoft Office Project Standard 2003
Microsoft Office Standard Edition 2003
MSXML 4.0 SP2 (KB925672)
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
Photron FASTCAM Viewer 2.4
ProjectWise Explorer V8 XM Edition
QuickTime
RFClient
SAP Front End
Security Update for CAPICOM (KB931906)
Security Update for CAPICOM (KB931906)
Security Update for Microsoft .NET Framework 2.0 (KB928365)
Shockwave
Shockwave Player
Sonic Update Manager
Symantec Client Security
ThinkPad Integrated 56K Modem
ThinkPad Power Management Driver
ThinkPad UltraNav Driver
ThinkVantage Active Protection System
Time Zone Data Update Tool for Microsoft Office Outlook
Tweak UI
Update for Windows XP (KB931836)
VideoLAN VLC media player 0.8.6a
WD Diagnostics
Windows Genuine Advantage v1.3.0254.0
Windows Media Connect
Windows Media Format Runtime
Windows Media Player 10
WinZip
WinZip Command Line Support Add-On 1.1 SR-1
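The Add/Remove Programs list above is posted so a helper can review it for duplicate entries, third-party runtimes and plug-ins that need to be kept current, and the security tools already on the machine. The following is an added example of how that triage can be scripted, written here for the thread and not something BCHurricane89 or Geeks to Go provided. It works on a constructed subset of the list above; the keyword groupings (`PLUGIN_KEYWORDS`, `SECURITY_KEYWORDS`) are my own assumed triage categories, not anything from the thread.

```python
import re
from collections import Counter

# Constructed sample: a subset of the Add/Remove Programs list posted above.
SAMPLE_LIST = """\
Adobe Acrobat 7.0 Standard - English, Français, Deutsch
Adobe Flash Player ActiveX
HijackThis 2.0.2
J2SE Runtime Environment 5.0 Update 4
Macromedia Flash Player
Malwarebytes' Anti-Malware
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
QuickTime
Security Update for CAPICOM (KB931906)
Security Update for CAPICOM (KB931906)
Shockwave
Shockwave Player
Symantec Client Security
VideoLAN VLC media player 0.8.6a
"""

# Assumed triage categories (my own grouping, not from the thread):
# internet-facing runtimes/plug-ins a helper reviews for currency, and
# security tools already present on the machine.
PLUGIN_KEYWORDS = ("java", "j2se", "flash", "shockwave", "quicktime", "acrobat", "reader")
SECURITY_KEYWORDS = ("malwarebytes", "hijackthis", "symantec", "antivirus", "anti-malware")

# Matches Microsoft Knowledge Base ids such as KB931906 in an entry name.
KB_RE = re.compile(r"\bKB(\d{6,7})\b")


def parse_program_list(text):
    """Split a pasted Add/Remove Programs list into trimmed, non-empty names."""
    return [line.strip() for line in text.splitlines() if line.strip()]


def find_duplicates(entries):
    """Return entry names that appear more than once, mapped to their count."""
    counts = Counter(entries)
    return {name: n for name, n in counts.items() if n > 1}


def classify(entries):
    """Group entries into plug-ins/runtimes, security tools, and KB updates."""
    out = {"plugins": [], "security": [], "kb_updates": []}
    for entry in entries:
        lower = entry.lower()
        if any(k in lower for k in PLUGIN_KEYWORDS):
            out["plugins"].append(entry)
        if any(k in lower for k in SECURITY_KEYWORDS):
            out["security"].append(entry)
        match = KB_RE.search(entry)
        if match:
            out["kb_updates"].append("KB" + match.group(1))
    # A KB listed twice (duplicate entry) is still one installed update.
    out["kb_updates"] = sorted(set(out["kb_updates"]))
    return out


def triage(text):
    """Summarise a pasted program list for a helper's review."""
    entries = parse_program_list(text)
    summary = {
        "total": len(entries),
        "unique": len(set(entries)),
        "duplicates": find_duplicates(entries),
    }
    summary.update(classify(entries))
    return summary


if __name__ == "__main__":
    result = triage(SAMPLE_LIST)
    print(f"{result['total']} entries, {result['unique']} unique")
    for name, n in result["duplicates"].items():
        print(f"  duplicate x{n}: {name}")
    print("plug-ins/runtimes to check for currency:")
    for name in result["plugins"]:
        print(f"  {name}")
    print("security tools present:", ", ".join(result["security"]))
    print("KB updates found:", ", ".join(result["kb_updates"]))
```

Paste the full list into `SAMPLE_LIST` (or read it from a file) to run it over the whole post; the duplicate check is the part that most often pays off, since two entries with the same name usually mean a broken or half-removed install that a cleanup will need to handle.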

#12 Tigger93 (Trusted Helper, Retired Staff, 1,870 posts)

Hi,

Please download ATF Cleaner by Atribune.

Caution: This program is for Windows 2000, XP and Vista only
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browser
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

-----------------------------------

Please run a free online scan with the ESET Online Scanner
Note: You will need to use Internet Explorer for this scan
  • Tick the box next to YES, I accept the Terms of Use
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the options Remove found threats and the option Scan unwanted applications is checked
  • Click Scan (This scan can take several hours, so please be patient)
  • Once the scan is completed, you may close the window
  • Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  • Copy and paste that log as a reply to this topic


#13 Tigger93 (Trusted Helper, Retired Staff, 1,870 posts)

Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.